EU/Swiss-U.S. Safe Harbor: More Scrutiny by the FTC?

06.22.15

On May 29, 2015, the Federal Trade Commission ("FTC") announced the approval of the final orders for two U.S. companies, TES Franchising, LLC ("TES") and American International Mailing, Inc. ("AIM"), settling complaints that the companies had engaged in deceptive trade practices in violation of Section 5 of the FTC Act. The FTC alleged that TES and AIM had falsely claimed on their websites that they were certified under the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework, respectively, even though their certifications had lapsed years ago.

Notably, the TES matter also turned on alleged misrepresentations concerning the nature of the company's Safe Harbor dispute resolution procedures. Specifically, TES stated on its website that Safe Harbor related disputes would be settled by arbitration in Connecticut and that the costs would be split between the consumer and TES. However, TES's official Safe Harbor certification, located at the Department of Commerce, provided that all disputes would be resolved through the European data protection authorities  which requires neither in-person hearings, nor any costs to the consumer. These developments likely indicate the beginning of increased FTC and Department of Commerce scrutiny of Safe Harbor, and data transfers conducted thereunder because of increasing pressure from EU member countries regarding Safe Harbor enforcement (which we discussed in our prior client alert "(Un)Safe Harbor and Cloud Services in Germany Under Scrutiny", and should be of interest to companies that are Safe Harbor certified.

Background

The U.S.-EU Safe Harbor Framework is a compliance tool for companies that wish to transfer personal data from the European Union/European Economic Area to the U.S. The EU Commission and the U.S. Department of Commerce negotiated the Safe Harbor program in 1999/2000, and the program is available upon self-certification by the company receiving personal data that its practices comply with privacy principles[1] similar to those found in the EU Data Protection Directive (95/46/EC).[2] The data flows are subject to strict commitments by the recipient entities regarding data privacy and security. The U.S.-Swiss Safe Harbor Framework is very similar.

FTC's Safe Harbor Enforcement

The total number of investigations by the FTC in regards to the U.S.-EU Safe Harbor Framework has never been very high, but has significantly increased since the beginning of 2014. To date, the FTC's investigations have focused principally on whether the subject companies had kept their certifications with the Department of Commerce current (versus expired) and related misrepresentations concerning the companies' participation in any privacy or data security program sponsored by the government or other self-regulatory or standard-setting organizations, such as TRUSTe. The FTC considers these types of misrepresentations to constitute actionable deceptive trade practices. Note, however, that while the FTC in most of these cases reviewed whether companies had timely renewed their self-certifications for the Safe Harbor program, the recent investigations did not address any substantive violations of the privacy principles inherent in Safe Harbor.

The recent TES settlement is significant because for the first time in almost three years the FTC went beyond the company's failure to renew its Safe Harbor certification. Instead, in the TES settlement, the FTC went one step further by claiming that the company misrepresented the nature of its Safe Harbor dispute resolution procedures. The investigation is therefore also focused on consumer protection and substantive privacy violations rather than pure procedural omissions. In this case, the FTC clearly viewed TES's website representations that Safe Harbor disputes would cost both money and time to resolve through arbitration as materially deceptive, given that TES's actual dispute resolution process was free and did not require in-person participation.

Alternatives to the U.S.-EU Safe Harbor Framework

For years, the Safe Harbor Framework has been criticized by European supervisory authorities for an alleged lack of enforcement. The German supervisory authorities even recently considered suspending data transfers on the basis of the U.S.-EU Safe Harbor Agreement as discussed in Orrick's recent client alert, "(Un)Safe Harbor and Cloud Services in Germany Under Scrutiny." There is also a pending decision of the European Court of Justice regarding the legality of data transfers to the U.S. under the U.S.-EU Safe Harbor Agreement (Schrems v. Data Protection Commissioner (Case C-362/14)).

Companies that want to avoid procedural (and now substantive) scrutiny into their Safe Harbor-based personal data transfers do have other options. Fairly popular are the so-called EU Model Clauses. The European Commission has issued standard contractual clauses for the transfers from data controllers to data controllers and /or processors established outside the European Union/European Economic Area. These standard contractual clauses provide adequate safeguards with respect to the protection of privacy and other fundamental rights of individuals. At least in the UK and Germany, the use of such Standard Contractual Clauses does not require any authorization of or notification to local data protection supervisory authorities.
Another less frequently used alternative is the use of Binding Corporate Rules, which is a set of rules on the processing of personal data in the form of a code of conduct which applies for the entire group of companies. Once approved by the competent data protection supervisory authorities in the EU member states, Binding Corporate Rules offer a transparent set of rules that permits the transfer of data between the EU and the U.S.

Next Steps

In light of these recent developments at the FTC, U.S. companies which use the U.S.-EU Safe Harborprogram should check and renew their self-certifications on a regular basis and audit their official Safe Harbor certifications with the Department of Commerce against any substantive privacy representations made on websites or other consumer-facing materials (e.g., terms of service, marketing, and advertising). It might also be worth considering alternative approaches to the U.S.-EU Safe Harbor program, especially the EU Model Clauses that provide for data protection commitments and that continue to be deemed adequate measures even by the German data protection authorities.
________________________________________
[1] The seven privacy principles are: notice, choice, onward transfer, security, data integrity, access and enforcement. The enforcement provisions require, among other things, that consumers whose personal data is transferred be provided a recourse mechanism to investigate and resolve complaints and disputes.
[2] For more information regarding the Safe Harbor framework, please refer to http://www.export.gov/safeharbor/